Earlier this year, Verizon released its annual Data Breach Investigations Report (DBIR), which examines the current state of cybersecurity through the lens of emerging and continuing trends. As AI becomes increasingly ubiquitous across nearly every industry, it comes as little surprise that the technology has become a fixture in the report. And while Verizon is careful to note that adversaries are not yet using AI to create entirely new attack tactics, they are using the technology to increase both the scale and effectiveness of their methods. Tactics like social engineering are already difficult to stop—and attackers leveraging AI to generate more convincing phishing emails or SMS scams are a real problem.
But perhaps the most pressing issue when it comes to AI is the lack of effective governance practices. The DBIR highlighted a wide range of AI governance issues, including widespread use of generative AI solutions outside of corporate policy and enforcement capabilities, leading to significant security blind spots. A separate research report published this year noted that less than half of organizations have specific strategies in place for combating AI threats. With AI usage continuing to expand and technology like agentic AI becoming increasingly mainstream, organizations cannot afford to wait. They need a plan for AI governance—before it’s too late.
New Challenges Put AI Governance in the Spotlight
As AI models become faster and more advanced, the speed with which organizations are able to implement and utilize them is also increasing. This has allowed those organizations to create a wide range of new efficiencies within their business processes, but it has also created risk. The obvious advantages created by certain AI capabilities have led to a “don’t get left behind” mentality, pushing for quick AI adoption—sometimes before it has been properly vetted. Other AI technologies, including generative AI tools like ChatGPT or Perplexity, are widely used and publicly accessible—making them difficult for employers to control. As the Verizon DBIR notes, employers have little oversight for what employees share with ChatGPT if they are using personal devices and non-corporate accounts.
That’s a significant problem, because data leakage remains one of the most common (and potentially damaging) issues with AI usage today. Employees may not understand whether certain data is safe to share with AI-based solutions, which can result in sensitive or confidential data making its way into public data models (or being stolen by crafty hackers via prompt manipulation and other emerging strategies). In fact, Gartner predicts that by 2027, an astonishing 40% of all breaches will be caused by improper generative AI usage, specifically citing the issue of users conducting unauthorized data transfers across borders. When it comes to AI, businesses are slowly realizing that security isn’t even their biggest challenge—it’s governance.
Establishing Strong AI Governance Practices
For organizations seeking to improve their approach to AI governance, it’s important to note that change starts at the top. Business leaders need to fully buy into the initiative, because they are the ones who set the tone for the organization—and more importantly, its risk appetite. When establishing governance practices, it’s important to understand the overall risk tolerance of the organization. That means the organization itself needs to have a “risk culture,” ensuring that employees are always considering the risks associated with their decisions. It’s not enough to understand the potential advantages that come with AI usage—businesses need to know the risks that come with different AI tools, understand whether they align with the organization’s overall risk tolerance, and consider the operational and reputational consequences of shadow AI and/or approved AI model misuse.
This process starts with intake. That means working with different business units to understand where AI is currently being used—as well as where employees would like to use it in the future.
It’s important to have a committee specifically working to develop acceptable use policies for AI—and a number of independent advisory organizations have already provided guidelines that can help those committees better understand how to move forward. Organizations like NIST and OWASP provide high-level frameworks that—while not comprehensive—can at least help businesses move forward armed with a more comprehensive understanding of the risks posed by AI and how to successfully navigate them. Armed with that knowledge, the AI committee should be able to approve and reject use cases from a more informed perspective.
Organizations that already have a robust risk management program will have an easier time implementing strong AI governance. As technology has advanced, the regulatory and compliance environment has worked (with varying degrees of success) to establish minimum security and data privacy standards. Fortunately, today’s organizations have access to a wide range of solutions that help automate elements of the risk management process, which can be a significant help when it comes to establishing AI guidelines. The ability to continuously map acceptable use policies and AI use cases against existing standards and frameworks can help organizations more easily visualize whether they are adhering to AI best practices. Perhaps more importantly, it also provides them with a basis for comparison when it comes to potential partners—allowing businesses to move on from vendors using AI in risky or irresponsible ways before they can cause real damage.
Put AI Governance in Place Before It’s Too Late
As AI becomes more powerful, organizations across the globe are seeking to quickly identify ways to leverage its advanced capabilities to further their own business goals. But AI comes with risks—and organizations that have not built a culture of risk to inform their decision-making processes may fail to identify the potential pitfalls that come with the technology. Today’s organizations cannot afford to wait until it’s too late. By emphasizing risk management and establishing clearly defined governance policies and practices based on accepted AI risk guidance, business leaders can ensure they are getting the most out of their AI solutions without exposing themselves to significant—and unnecessary—risks.
